CVE-2026-4210: A security flaw has been discovered in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326…

low2.1CVSS 4.0

AVNACLATNPRLUINVCLVILVALSCNSINSANEPCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX

A security flaw has been discovered in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected by this vulnerability is the function cgi_tm_set_share of the file /cgi-bin/time_machine.cgi. The manipulation of the argument Name results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

Affected

40 ranges· showing 25

Vendor	Product	Version range	Fixed in
d-link	dnr-202l	—	—
d-link	dnr-322l	—	—
d-link	dnr-326	—	—
d-link	dns-1100-4	—	—
d-link	dns-120	—	—
d-link	dns-1200-05	—	—
d-link	dns-1550-04	—	—
d-link	dns-315l	—	—
d-link	dns-320	—	—
d-link	dns-320l	—	—
d-link	dns-320lw	—	—
d-link	dns-321	—	—
d-link	dns-323	—	—
d-link	dns-325	—	—
d-link	dns-326	—	—
d-link	dns-327l	—	—
d-link	dns-340l	—	—
d-link	dns-343	—	—
d-link	dns-345	—	—
d-link	dns-726-4	—	—
dlink	dnr-202l_firmware	<= 2026-02-05	—
dlink	dnr-326_firmware	<= 2026-02-05	—
dlink	dns-1100-4_firmware	<= 2026-02-05	—
dlink	dns-1200-05_firmware	<= 2026-02-05	—
dlink	dns-120_firmware	<= 2026-02-05	—